The lack of cybersecurity talent relative to enterprise demand for it is strangling many enterprises’ ability to secure their organizations. That’s what I’m hearing, repeatedly, in my conversations with CIOs and CISOs alike. They lament how hard it is to find the people they need to defend their networks and respond to attacks against and within them, as well as security analysts and architects. If you can communicate security risk in terms of business risk, know how to build defensible networks and applications, or understand how cloud and IoT are changing data and infrastructure risk, you are hardly in want of a job.
The data security challenges for global enterprises are significant. Enterprise architectures are evolving swiftly and new development paradigms are rising, all while more types of enterprise and customer data are being created than ever before. That data is also scattered across more systems and devices than ever before. It’s the rare person who not only can keep up with all of these technological changes but also knows how to help design the secure architectures, systems, and processes around them.
What is an enterprise management team, board of directors, CSO, or CISO to do when it comes to building the team needed to protect their applications, data, and intellectual property? It’s a hard question to answer, and it’s not going to get any easier any time soon. Looking at what enterprises are doing now, it’s clear that many are not doing themselves any favors when it comes to attracting and cultivating cybersecurity talent.
What are they doing wrong, specifically? For starters, many human resources departments don’t understand cybersecurity skill sets. They view information security predominantly as a subset of the IT department, and they rely (blindly) on certifications and degrees rather than on innate security problem-solving skills. Even the U.S. government is having trouble hiring the talent it needs because of controversial hiring standards, culture clashes (piercings and dyed hair aren’t common at the FBI, for starters), and lower pay than can be found elsewhere. This story, Government Hiring Practices Hamper Cybersecurity Efforts, provides a good overview of the ongoing situation.
The pressure to hire properly isn’t going to go away as long as nation-state cyber espionage and attacks draw increasing focus and the systems in critical infrastructure still need hardening. Additionally, traditional training doesn’t keep pace with the constant changes in mobility, cloud architectures, virtualization, containerization, Internet-connected devices (IoT), and other areas, so it doesn’t produce the security skills that are needed.
Many of the CISOs I’ve spoken to in industries such as financial services and health care contend that their industries are at 100% employment when it comes to information security positions. That’s not sustainable. We’ve been here before, of course: in the 80s and 90s and just before the dotcom bubble burst. In those days, if you had the right skill set, finding a job was not a problem. There are many such positions that firms are having a hard time filling: cybersecurity analysts and engineers, software and systems engineers, and others.
Over the past few months, I’ve spoken with CISOs who say they have a hard time even finding interview candidates that they’d like to speak with for senior security positions.
So what is a company to do?
Here’s a start:
Mentoring program. One of the most important things an enterprise can do to cultivate security talent is to mentor young professionals who show an interest in cybersecurity. Have them work under seasoned information security professionals, and provide clear goals and paths for their career growth.
Pay competitively. This advice should go without saying. Many enterprises view information security as a technical role (which some positions are), but when it comes to mitigating risks it’s more of a risk management function, and higher pay is necessary. It’s surprising how low the pay is that some organizations offer when they try to fill security positions that require years of experience and high levels of skill and aptitude. I know; I often get emails forwarded to me by those in the hunt. There’s no way around it: to compete for these people, enterprises must pay competitively.
Work with local colleges and universities. Only a handful of years ago, information security was a field of self-taught technologists: people who liked to take things apart and reassemble them into something new, or use technologies in novel ways that the creator may not have anticipated. While this hardy breed of hacker still exists, more people are now being educated in cybersecurity at universities, and in recent years more universities have started cybersecurity programs. Work with these schools to provide input into the curriculum (they don’t always know what private industry needs) and see whether partnerships can be created to give some students practical work experience.
Make it clear that data security is part of everyone’s job. While this won’t solve any security talent shortage directly, it will go a long way toward securing your digital assets and infrastructure, and it will stretch the value of the security pros you do have in place. This effort would include broad cybersecurity awareness training for nearly every employee, security-specific training for IT operations teams, and secure coding training for developers.
Create a place they want to work. If you want to avoid a cybersecurity brain drain, create a place where security professionals want to work. Provide adequate training, ensure that security is involved in the development process, and make sure the security team has the support of senior management, including the board of directors, if applicable.
The best way to ensure your organization isn’t stuck shopping on the open market for security talent is to do whatever you can to keep the people you already have in-house.